Order  Code  RL33670 


CRS  Report  for  Congress 

Received  through  the  CRS  Web 


Protection  of  Security-Related  Information 


September  27,  2006 


Gina  Marie  Stevens  and  Todd  B.  Tatelman 

Legislative  Attorneys 
American  Law  Division 


Congressional  Research  Service  ❖  The  Library  of  Congress 


Report  Documentation  Page 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1 .  REPORT  DATE  2.  REPORT  TYPE 

27  SEP  2006  N/A 

3.  DATES  COVERED 

4.  TITLE  AND  SUBTITLE 

Protection  of  Security-Related  Information 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Congressional  Research  Service  The  Library  of  Congress  101 
Independence  Ave.  SE  Washington,  DC  20540-7500 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release,  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

15.  SUBJECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF:  17.  LIMITATION  OF 

18.  NUMBER  19a.  NAME  OF 

a.  REPORT  b.  ABSTRACT  c.  THIS  PAGE  S  AR 

unclassified  unclassified  unclassified 

29 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


Protection  of  Security-Related  Information 


Summary 

The  terrorist  attacks  of  September  1 1  prompted  a  reevaluation  of  how  to  balance 
public  access  to  information  with  the  need  for  safety  and  security.  The  accumulation 
of  confidential  business  information  from  owners  and  operators  of  the  nation’s 
critical  infrastructures,  85%  of  which  is  reportedly  owned  by  the  private  sector, 
continues  to  be  an  important  component  of  homeland  security  efforts.  Critical 
infrastructure  sectors  have  been  defined  to  include  information  technology; 
telecommunications;  chemicals;  transportation  systems;  including  mass  transit, 
aviation,  maritime,  ground/surface,  and  rail  and  pipeline  systems;  emergency 
services;  postal  and  shipping;  agriculture  and  food;  public  health  and  healthcare; 
drinking  water  and  water  treatment  systems;  energy,  including  oil  and  gas  and 
electric  power;  banking  and  finance;  the  defense  industrial  base;  and  national 
monuments  and  icons.  The  Freedom  of  Information  Act  of  1974  (FOIA)  along  with 
other  statutes  and  regulations  provide  legal  authorities  for  the  protection  of  various 
types  of  security-related  information.  Nevertheless,  some  owners  and  operators  are 
hesitant  to  voluntarily  share  security-related  information  with  the  government 
because  of  the  possible  disclosure  of  this  information  to  the  public.  To  prohibit 
public  disclosure  of  security-related  information  under  the  Freedom  of  Information 
Act  and  other  laws,  Congress  has  drafted  and  passed  legislation  designed  to  remove 
legal  obstacles  to  information  sharing.  The  Aviation  and  Transportation  Security  Act 
of  2001  (ATSA);  the  Critical  Infrastructure  Information  Act  of  2002  in  section  214 
of  the  Homeland  Security  Act;  the  Maritime  Transportation  Security  Act  of  2002 
(MTSA);  and  the  Safe  Drinking  Water  Act  (SDWA),  as  amended  by  the  Public 
Health  Security  and  Bioterrorism  Preparedness  and  Response  Act  of  2002,  each 
exempt  certain  types  of  security-related  information  from  disclosure  under  the 
Freedom  of  Information  Act.  These  statutes  are  examples  of  what  are  referred  to  as 
FOIA  exemption  3  statutes;  separate  federal  statutes  prohibiting  the  disclosure  of  a 
certain  type  of  information  and  authorizing  its  withholding  under  FOIA  subsection 
(b)(3). 

This  report  describes  the  current  state  of  the  law  with  regard  to  the  protection 
of  security-related  information. 


Contents 


Introduction  . 1 

The  Freedom  of  Information  Act  (FOIA)  . 1 

Exemption  4  —  Commercial  or  Financial  Information . 4 

Exemption  3  —  Information  Protected  By  Other  Statutes . 6 

The  Maritime  Transportation  Security  Act  of  2002  (MTSA)  ....  9 
The  Aviation  and  Transportation  Security  Act  2001  (ATSA)  ...  10 

The  Safe  Drinking  Water  Act  (SDWA) . 10 

Critical  Infrastructure  Information  Act  of  2002  (CIIA) . 11 

Definitions . 11 

Protected  Critical  Infrastructure  Information  (PCII)  . 12 

Freedom  of  Information  Act  . 13 

Ex  Parte  Communications  in  Agency  Proceedings . 13 

Prohibition  on  Use  of  PCII  in  Civil  Actions  . 14 

Prohibited  and  Protected  Disclosures  . 14 

Access  under  State  and  Local  Laws . 15 

Waiver  of  Privileges  . 15 

Federal  Advisory  Committee  Act  . 15 

Independently  Obtained  Information . 16 

Voluntary  Submissions  to  the  Government . 17 

Safeguards  for  PCII . 17 

Criminal  Penalties  . 17 

Other  Provisions  . 18 

Final  Regulations . 18 

Air  Transportation  Security  Act  of  1974  .  19 

Sensitive  Security  Information  (SSI) . 19 

Further  Statutory  Expansion  of  SSI  Authority . 20 

Judicial  Review  of  SSI  Classification  . 23 


Protection  of  Security-Related  Information 

Introduction 

The  terrorist  attacks  of  September  1 1  prompted  a  limiting  of  public  access  to 
government  information  developed,  obtained,  or  compiled  for  homeland  security 
purposes.  The  accumulation  of  confidential  business  information  from  owners  and 
operators  of  the  nation’s  critical  infrastructures,  85%  of  which  is  reportedly  owned 
by  the  private  sector,  continues  to  be  a  critical  component  of  homeland  security 
efforts.  Concerns  that  competitors,  terrorists,  and  other  “bad  actors”  might  gain 
access  to  security-related  information  under  the  Freedom  of  Information  Act  (FOIA) 
prompted  new  confidentiality  protections  to  promote  information  sharing  between 
the  private  sector  and  the  federal  government  and  to  prevent  disclosure  of  certain 
types  of  security-related  information  under  FOIA.  The  Aviation  and  Transportation 
Security  Act  of  2001  (ATSA);  the  Critical  Infrastructure  Information  Act  of  2002  in 
section  214  of  the  Homeland  Security  Act  of  2002;  the  Maritime  Transportation 
Security  Act  of  2002  (MTSA);  and  the  Safe  Drinking  Water  Act  (SDWA),  as 
amended  by  the  Public  Health  Security  and  Bioterrorism  Preparedness  and  Response 
Act  of  2002,  exempt  certain  types  of  security-related  information  from  disclosure 
under  the  Freedom  of  Information  Act.  These  statutes  are  examples  of  what  are 
referred  to  as  FOIA  exemption  3  statutes;  separate  federal  statutes  prohibiting  the 
disclosure  of  a  certain  type  of  information  and  authorizing  its  withholding  under 
FOIA  subsection  (b)(3). 

This  report  describes  the  current  state  of  the  law  with  regard  to  the  protection 
of  security-related  information.  The  protection  of  security-related  information  has 
developed  from  a  series  of  laws,  regulations,  and  executive  orders.  This  report  does 
not  apply  to  the  maintenance,  safeguarding,  or  disclosure  of  classified  national 
security  information.1 

The  Freedom  of  Information  Act  (FOIA) 

The  Freedom  of  Information  Act  (FOIA)  applies  to  records  held  by  agencies  of 
the  executive  branch  of  the  federal  government  and  regulates  the  disclosure  of 
government  information.2  The  FOIA  requires  agencies  to  publish  in  the  Federal 
Register  certain  records,  and  to  make  other  records  available  for  public  inspection 


1  For  information  on  national  security  information,  see  CRS  Report  RL33502,  Protection 
of  National  Security  Information,  by  Jennifer  K.  Elsea;  see  also,  Christina  E.  Wells, 
National  Security  Information  and  the  Freedom  of  Information  Act,  56  ADMIN.  L.  Rev.  1195 
(2004). 

25U.S.C.  §552  etseq. 


CRS-2 


and  copying.3  With  the  exception  of  three  special  categories  of  law 
enforcement-related  records  that  are  entirely  excluded  from  the  coverage  of  the  FOIA 
and  records  already  made  available  for  publication  or  inspection,  all  other  federal 
agency  records  may  be  requested  under  the  FOIA.4  That  records  are  potentially 


3  5  U.S.C.  §  552(a)(l)-(2)  provides: 

(a)  Each  agency  shall  make  available  to  the  public  information  as  follows: 

(1)  Each  agency  shall  separately  state  and  currently  publish  in  the  Federal 
Register  for  the  guidance  of  the  public  — 

(A)  descriptions  of  its  central  and  field  organization  and  the  established  places 
at  which,  the  employees  (and  in  the  case  of  a  uniformed  service,  the  members) 
from  whom,  and  the  methods  whereby,  the  public  may  obtain  information,  make 
submittals  or  requests,  or  obtain  decisions; 

(B)  statements  of  the  general  course  and  method  by  which  its  functions  are 
channeled  and  determined,  including  the  nature  and  requirements  of  all  formal 
and  informal  procedures  available; 

(C)  rules  of  procedure,  descriptions  of  forms  available  or  the  places  at  which 
forms  may  be  obtained,  and  instructions  as  to  the  scope  and  contents  of  all 
papers,  reports,  or  examinations; 

(D)  substantive  rules  of  general  applicability  adopted  as  authorized  by  law,  and 
statements  of  general  policy  or  interpretations  of  general  applicability  formulated 
and  adopted  by  the  agency;  and 

(E)  each  amendment,  revision,  or  repeal  of  the  foregoing . 

(2)  Each  agency,  in  accordance  with  published  rules,  shall  make  available  for 
public  inspection  and  copying  — 

(A)  final  opinions,  including  concurring  and  dissenting  opinions,  as  well  as 
orders,  made  in  the  adjudication  of  cases; 

(B)  those  statements  of  policy  and  interpretations  which  have  been  adopted  by 
the  agency  and  are  not  published  in  the  Federal  Register; 

(C)  administrative  staff  manuals  and  instructions  to  staff  that  affect  a  member  of 
the  public; 

(D)  copies  of  all  records,  regardless  of  form  or  format,  which  have  been  released 
to  any  person  under  paragraph  (3)  and  which,  because  of  the  nature  of  their 
subject  matter,  the  agency  determines  have  become  or  are  likely  to  become  the 
subject  of  subsequent  requests  for  substantially  the  same  records;  and 

(E)  a  general  index  of  the  records  referred  to  under  subparagraph  (D); 
unless  the  materials  are  promptly  published  and  copies  offered  for  sale. 

4  5  U.S.C.  §  552(a)(3)  and  (E)  provides: 

(3) (A)  Except  with  respect  to  the  records  made  available  under  paragraphs  (1) 
and  (2)  of  this  subsection,  and  except  as  provided  in  subparagraph  (E),  each 
agency,  upon  any  request  for  records  which 

(i)  reasonably  describes  such  records  and 

(ii)  is  made  in  accordance  with  published  rules  stating  the  time,  place,  fees  (if 
any),  and  procedures  to  be  followed,  shall  make  the  records  promptly  available 
to  any  person. 

(E)  An  agency,  or  part  of  an  agency,  that  is  an  element  of  the  intelligence 
community  (as  that  term  is  defined  in  section  3(4)  of  the  National  Security  Act 
of  1947  (50  U.S.C.  401a  (4)))  shall  not  make  any  record  available  under  this 
paragraph  to  — 


(continued...) 


CRS-3 


subject  to  FOIA  requests  does  not  mean  they  necessarily  will  be  disclosed.  Nine 
categories  of  information  may  be  exempted  from  mandatory  disclosure.5  The 
exemptions  permit,  rather  than  require,  the  withholding  of  the  requested  information. 
Records  that  are  not  exempt  under  one  or  more  of  the  Act’s  nine  exemptions  must 
be  disclosed.  If  a  record  contains  some  exempt  material,  any  reasonably  segregable 
portion  of  the  record  must  be  provided  to  any  person  requesting  such  record  after 


4  (...continued) 

(i)  any  government  entity,  other  than  a  State,  territory,  commonwealth,  or  district 
of  the  United  States,  or  any  subdivision  thereof;  or 

(ii)  a  representative  of  a  government  entity  described  in  clause  (i). 

5  5  U.S.C.  §  552(b)  provides: 

(b)  This  section  does  not  apply  to  matters  that  are  — 

(1)  (A)  specifically  authorized  under  criteria  established  by  an  Executive  order 
to  be  kept  secret  in  the  interest  of  national  defense  or  foreign  policy  and 

(B)  are  in  fact  properly  classified  pursuant  to  such  Executive  order; 

(2)  related  solely  to  the  internal  personnel  rules  and  practices  of  an  agency; 

(3)  specifically  exempted  from  disclosure  by  statute  (other  than  section  552b  of 
this  title),  provided  that  such  statute 

(A)  requires  that  the  matters  be  withheld  from  the  public  in  such  a  manner  as  to 
leave  no  discretion  on  the  issue,  or 

(B )  establishes  particular  criteria  for  withholding  or  refers  to  particular  types  of 
matters  to  be  withheld; 

(4)  trade  secrets  and  commercial  or  financial  information  obtained  from  a  person 
and  privileged  or  confidential; 

(5)  inter-agency  or  intra-agency  memorandums  or  letters  which  would  not  be 
available  by  law  to  a  party  other  than  an  agency  in  litigation  with  the  agency; 

(6)  personnel  and  medical  files  and  similar  files  the  disclosure  of  which  would 
constitute  a  clearly  unwarranted  invasion  of  personal  privacy; 

(7)  records  or  information  compiled  for  law  enforcement  purposes,  but  only  to 
the  extent  that  the  production  of  such  law  enforcement  records  or  information 

(A)  could  reasonably  be  expected  to  interfere  with  enforcement  proceedings, 

(B )  would  deprive  a  person  of  a  right  to  a  fair  trial  or  an  impartial  adjudication, 

(C)  could  reasonably  be  expected  to  constitute  an  unwarranted  invasion  of 
personal  privacy, 

(D)  could  reasonably  be  expected  to  disclose  the  identity  of  a  confidential  source, 
including  a  State,  local,  or  foreign  agency  or  authority  or  any  private  institution 
which  furnished  information  on  a  confidential  basis,  and,  in  the  case  of  a  record 
or  information  compiled  by  criminal  law  enforcement  authority  in  the  course  of 
a  criminal  investigation  or  by  an  agency  conducting  a  lawful  national  security 
intelligence  investigation,  information  furnished  by  a  confidential  source, 

(E)  would  disclose  techniques  and  procedures  for  law  enforcement  investigations 
or  prosecutions,  or  would  disclose  guidelines  for  law  enforcement  investigations 
or  prosecutions  if  such  disclosure  could  reasonably  be  expected  to  risk 
circumvention  of  the  law,  or 

(F)  could  reasonably  be  expected  to  endanger  the  life  or  physical  safety  of  any 
individual; 

(8)  contained  in  or  related  to  examination,  operating,  or  condition  reports 
prepared  by,  on  behalf  of,  or  for  the  use  of  an  agency  responsible  for  the 
regulation  or  supervision  of  financial  institutions;  or 

(9)  geological  and  geophysical  information  and  data,  including  maps,  concerning 
wells. 


CRS-4 


deletion  of  the  portions  which  are  exempt.  Disputes  over  access  to  requested  records 
may  be  reviewed  in  federal  court  to  enjoin  the  agency  from  withholding  agency 
records  and  to  order  the  production  of  any  agency  records  improperly  withheld.  The 
court  shall  determine  the  matter  de  novo,  and  may  examine  the  contents  of  such 
agency  records  in  camera.  The  burden  is  on  the  agency  to  sustain  its  action.6 

On  December  14,  2005,  the  President  issued  Executive  Order  13392,  entitled 
“Improving  Agency  Disclosure  of  Information,”  and  which  contains  several 
statements  of  FOIA  policy  and  specific  planning  and  reporting  requirements  for 
federal  agencies.  Executive  Order  13392  directs  federal  agencies  to  improve  their 
FOIA  operations  and  designates  a  Chief  FOIA  Officer  for  each  agency’s 
administration  of  the  FOIA.7 

Exemption  4  —  Commercial  or  Financial  Information. 

One  possible  means  of  shielding  security-related  information  is  exemption  4. 
Exemption  4  of  FOIA  exempts  from  disclosure  “trade  secrets  and  commercial  or 
financial  information  obtained  from  a  person  and  privileged  or  confidential.”8  Most 
exemption  4  cases  have  involved  a  dispute  over  whether  the  requested  information 
was  “confidential.”9 

In  1974,  the  D.C.  Circuit  in  National  Parks  and  Conservation  Association  v. 
Morton ,10  enunciated  a  two-part  confidentiality  test  for  commercial  information:  “if 
disclosure  of  the  information  is  likely  to  either  impair  the  government’s  ability  to 
obtain  necessary  information  in  the  future;  or  to  cause  substantial  harm  to  the 
competitive  position  of  the  person  from  whom  the  information  was  obtained,”  the 
commercial  information  will  be  treated  as  confidential.11  In  1992,  in  Critical  Mass 
Energy  Project  v.  NRC ,12  the  D.C.  Circuit  limited  the  scope  and  application  of 


6  5  U.S.C.  §  552(4)(b)  (2000). 

7  E.O.  No.  13392. 

8  5  U.S.C.  §  552(b)(4). 

9  Federal  agencies  are  required  to  establish  procedures  to  notify  submitters  of  confidential 
commercial  information  whenever  an  agency  “determines  that  it  may  be  required  to 
disclose”  such  information  under  the  FOIA.  The  submitter  is  provided  an  opportunity  to 
submit  objections  to  the  proposed  disclosure.  If  the  agency  decides  to  release  the 
information  over  the  objections  of  the  submitter,  the  submitter  may  seek  judicial  review  of 
the  propriety  of  the  release,  and  the  courts  will  entertain  a  “reverse  FOIA”  suit  to  consider 
the  confidentiality  rights  of  the  submitter.  E.O.  12600,  3  C.F.R.  235  (1988),  reprinted  in 
5  U.S.C.  §  552  note. 

10  498  F.2d  765  (D.C.  Cir.  1974). 

"  Id.  at  770. 

12  975  F.2d  871,  879-80  (D.C.  Cir.  1992)  (en  banc )  (“ Critical  Mass  //”),  cert,  denied ,  113 
S .  Ct.  1579  (1993)  (The  plaintiff  was  seeking  reports  which  a  utility  industry  group  prepared 
and  gave  voluntarily  to  the  NRC.  The  agency  did,  however,  have  the  authority  to  compel 
submission.  Applying  the  customary  treatment  test  to  the  utility  industry  group  reports 
voluntarily  submitted  to  the  government,  the  D.C.  Circuit  agreed  with  the  district  court’s 

(continued...) 


CRS-5 


National  Parks  to  cases  in  which  a  FOIA  request  is  made  for  commercial  or  financial 
information  which  is  required  to  be  furnished  to  the  Government.13  The  court 
established  a  new  test  of  confidentiality  for  information  submitted  voluntarily,  under 
which  information  is  exempt  from  disclosure  if  the  submitter  can  show  that  it  does 
not  customarily  release  the  information  to  the  public.14  The  burden  of  establishing 
the  submitter’s  custom  remains  with  the  agency  seeking  to  withhold  the  record.15 

A  number  of  lower  federal  courts  have  applied  the  Critical  Mass  distinction 
between  voluntary  and  required  submissions.16  Nonetheless,  Critical  Mass  has  not 
been  widely  adopted  by  the  other  circuits.17 

Whether  submission  of  a  vulnerability  assessment  or  a  site  security  plan  is 
voluntary  or  required  will  determine  the  level  of  protection  afforded  the  information 
under  exemption  4.  Because  an  absolute  prohibition  on  the  disclosure  of  commercial 
or  financial  information  does  not  exist  under  exemption  4, 18  separate  confidentiality 


12  (...continued) 

conclusion  that  the  reports  were  commercial;  that  they  were  provided  to  the  agency  on  a 
voluntary  basis;  and  that  the  submitter  did  not  customarily  release  them  to  the  public.  Thus, 
the  reports  were  found  to  be  confidential  and  exempt  from  disclosure  under  exemption  4.) 

13  Id.  at  880. 

14  Id.  at  879. 

15  The  Department  of  Justice  has  issued  policy  guidance  on  the  distinction  between 
information  required  and  information  voluntarily  submitted  under  Critical  Mass.  See  FOIA 
Update,  Vol.  XIV,  No.  2,  at  3-5  (“OIP  Guidance:  The  Critical  Mass  Distinction  Under 
Exemption  4”). 

16  See,  e.g.,  Lykes  v.  Bros.  S.S.  v.  Pena,  No.  92-2780,  slip  op.  at  8-11  (D.D.C.  Sept.  2, 
1993)(“under  Critical  Mass,  submissions  that  are  required  to  realize  the  benefits  of  a 
voluntary  program  are  to  be  considered  mandatory”);  Lee  v.  FDIC,  923  F.  Supp.  451,  454 
(S.D.N.Y.  1996)(when  documents  were  “required  to  be  submitted”  in  order  to  get 
government  approval  to  merge  two  banks,  court  rejects  agency’s  attempt  to  nonetheless 
characterize  submission  as  “voluntary”);  AGS  Computers,  Inc.  v.  United  States  Dep’t  of 
Treasury,  No.  92-2714,  slip  op.  at  10  (D.N.J.  Sept.  16,  1993)(submitter’s  submission  of 
documents  to  agency  during  a  meeting  was  done  voluntarily  because  there  was  no 
“controlling  statute,  regulation,  or  written  order”);  Center  for  Auto  Safety  v.  National 
Highway  Traffic  Safety  Admin.,  93  F.  Supp.2d  1  (D.D.C.  Feb.  28,  2000),  remanded  by 
Center  for  Auto  Safety  v.  National  Highway  Traffic  Safety  Admin. ,  244  F.3d  144  (D.C.Cir. 
Mar.  30, 2001)(information  on  airbag  systems  submitted  in  response  to  agency’s  request  was 
a  voluntary  submission  because  agency  lacked  legal  authority  to  enforce  its  request  for 
information). 

17  The  Tenth  Circuit  adopted  the  Critical  Mass  distinction  between  voluntary  and 
involuntary  submissions  in  Utah  v.  U.S.  Dep’t  of  Interior,  256  F.3d  967,  969  (10lh  Cir. 
2001);  see  also  U.S.  Department  of  Justice,  FREEDOM  OF  INFORMATION  Act  GUIDE  AND 
PRIVACY  Act  OVERVIEW  at  284-304  (discussing  cases),  available  at 
[http://www.justice.gov/o4foia/foi-act.htm. 

18  Some  representatives  of  potential  confidential  business  information  submitters  have 
expressed  concerns  about  the  discretionary  nature  of  exemption  4  because  an  agency  may 
choose  to  withhold  information  but  is  not  required  to  do  so.  See  James  W.  Conrad, 

(continued...) 


CRS-6 


protections  have  been  created  for  certain  types  of  security-related  information  under 
other  federal  statutes.  Often  the  security-related  statutes  discussed  herein 
differentiate  between  “required”  and  “voluntary”  submission.  For  example,  the 
Maritime  Transportation  Security  Act  (MTSA)  and  the  Safe  Drinking  Water  Act 
(SDWA)  require  covered  entities  to  submit  information  to  the  federal  government. 
The  Critical  Infrastructure  Information  Act  (CIIA)  provides  confidentiality 
protections  for  critical  infrastructure  information  voluntarily  submitted  to  DHS .  The 
regulations  for  sensitive  security  information  issued  pursuant  to  the  Aviation  and 
Transportation  Security  Act  (ATSA)  designate  16  categories  of  sensitive  security 
information,  and  include  information  submitted  pursuant  to  a  requirement  and 
information  voluntarily  submitted.  These  statutes  are  examples  of  what  are  referred 
to  as  a  FOIA  exemption  3  statutes;  that  is,  separate  federal  statutes  prohibiting  the 
disclosure  of  a  certain  type  of  information  and  authorizing  its  withholding  under 
FOIA  subsection  (b)(3). 

Exemption  3  —  Information  Protected  By  Other  Statutes.  FOIA 
subsection  (b)(3),  commonly  referred  to  as  exemption  3,  permits  agencies  to  withhold 
information  under  FOIA  that  is  specifically  prohibited  from  disclosure  by  other 
federal  statutes  with  certain  characteristics.19 

Special  circumstances  warrant  special  decisions  about  confidential  status,  and 
Congress  is  free  to  define  what  must  and  what  can  be  withheld  by  laws  that 
integrate  with  this  exemption,  a  sort  of  catch-all  provision  to  the  Freedom  of 
Information  Act.  Congress  recognized  that  some  situations  simply  do  not  fit  the 
general  mold  of  FOIA  releases  of  agency  records  to  any  requester.  This  third 
exemption  establishes  an  open-ended  set  of  documents  which  have  previously 
been  mandated  to  be  confidential  or  for  which  Congress  has  made  specific 
provision  for  confidentiality.  It  is  Congress,  not  the  agency,  which  makes  the 
secrecy  decision  under  this  exemption.20 

For  a  nondisclosure  provision  in  a  separate  federal  statute  to  qualify  for 
exemption  3  status,  the  nondisclosure  provision  must  meet  one  or  two  of  the  criteria: 
either  the  statute  must  require  that  matters  be  withheld  from  the  public  in  such  a 
manner  as  to  leave  no  discretion  on  the  issue,  or  establish  particular  criteria  for 
withholding  or  refer  to  particular  types  of  matters  to  be  withheld.21  If  the  statute 
meets  the  criteria  of  exemption  3  of  FOIA  and  the  information  to  be  withheld  falls 


18  (...continued) 

Protecting  Private  Security-Related  Information  From  Disclosure  By  Government  Agencies, 
57  Admin.  L.  Rev.  715,  730-732  (2005). 

19  5  U.S.C.  §  552(b)(3)  provides 

Information  may  be  withheld  under  an  Exemption  3  statute  when  that  statute 
either  “(A)  requires  that  matters  be  withheld  from  the  public  in  such  a  manner  as 
to  leave  no  discretion  on  the  issue,  or  (B)  establishes  particular  criteria  for 
withholding  or  refers  to  particular  types  of  matters  to  be  withheld.” 

20  James.  T.  O’Reilly,  FEDERAL  INFORMATION  DISCLOSURE  §  13.1  (3d.  ed.  2000). 

21  5  U.S.C.  §  552(b)(3). 


CRS-7 


within  the  scope  and  coverage  of  that  statute,  the  information  is  properly  exempt 
from  disclosure  under  exemption  3  of  FOIA. 

To  withhold  a  document  under  exemption  3,  the  agency  bears  the  burden  of 
demonstrating  that  the  statute  either  requires  that  the  document  or  documents  be 
withheld  without  agency  discretion22  or  specifically  authorizes  the  agency  to  use 
discretion  to  withhold  that  type  of  document.23  The  scope  of  the  statute  must  be 
examined  by  a  reviewing  court  to  determine  whether  it  qualifies  as  a  withholding 
statute.  Basic  principles  of  statutory  construction  are  to  be  used  to  determine 
exemption  3  status.24  When  resolving  an  ambiguity  about  the  proper  interpretation 
of  a  specific  statute  under  exemption  3,  the  Chevron 25  rule  of  judicial  deference 
applies  to  the  agency’s  interpretation  of  the  statute  it  administers.26  Substantial 
weight  is  to  be  given  to  an  agency’s  claim  of  exemption  3  status. 

The  first  subpart  of  exemption  3  —  subpart  (A)  —  is  often  referred  to  as  the  “no 
discretionary  release”  category.27  To  satisfy  this  requirement,  the  statute’s  language 
to  withhold  must  be  absolute  —  for  example,  stating  that  the  information  “shall  not 
be  disclosed.”  To  withhold  a  document  under  subpart  (A)  of  exemption  (b)(3),  the 
agency  must  show  that  the  document  is  collected  or  generated  under  the  agency’s 
statutory  authority,  and  that  the  statute  contained  a  mandate  that  this  type  of 
information  not  be  disclosed.  For  example,  the  Supreme  Court  found  no  discretion 
within  the  Census  Act’s  prohibition  against  disclosure  of  census  records.28 

Subpart  (B)  of  exemption  (b)(3),  commonly  referred  to  as  the  “particular 
criteria”  category,  permits  agency  discretion  on  whether  to  withhold  or  disclose 
agency  records.29  Under  subpart  (B),  an  agency  has  the  discretion  to  disclose  if  it  so 
chooses  but  also  has  authority  (explicit  or  implicit)  to  withhold.  The  statute  must 
establish  particular  criteria  for  withholding  or  refer  to  particular  types  of  matters  to 
be  withheld.  To  qualify  under  subpart  (B),  the  statute  must  provide  articulable 
criteria  for  the  agency  to  use  to  determine  whether  to  permit  disclosure.  The 
Supreme  Court  looks  for  “sufficiently  definite  standards”  in  a  statute  rather  than 
“broad  discretion.”30  The  degree  to  which  Congress  has  specified  the  agency’s 
discretion  in  the  statute  is  important.  A  court  must  examine  the  underlying 


22  See  American  Jewish  Congress  v.  Kreps,  574  F.2d  624  (D.C.  Cir.  1978);  see  also  Lee 
Pharmaceuticals  v.  Kreps,  577  F.2d  610  (9th  Cir.  1978). 

23  See  American  Jewish  Congress  v.  Kreps,  574  F.2d  624  (D.C.  Cir.  1978). 

24  See  CRS  Report  97-589,  Statutory  In  terpretation:  General  Principles  and  Recent  Trends, 
by  George  Costello. 

25  Chevron,  U.S.A.,  Inc.  v.  Natural  Resources  Defense  Council,  Inc.,  467  U.S.  837  (1984). 

26  Tax  Analysts  v.  I.R.S.,  117  F.3d  607,  612  (D.C.  Cir.  1997). 

27  5  U.S.C.  A.  §  552(b)(3)(A),  “in  such  a  manner  as  to  leave  no  discretion  on  the  issue.” 

28  Baldridge  v.  Shapiro,  455  U.S.  345  (1982);  see  also  13  U.S.C.  §  214  (2000). 

29  5  U.S.C.  §  552(b)(3)(B)  “establishes  particular  criteria  for  withholding  or  refers  to 
particular  types  of  matters  to  be  withheld.” 

30  Consumer  Product  Safety  Commission  v.  GTE  Sylvania,  Inc.,  447  U.S.  102  (1980). 


CRS-8 


congressional  intent  to  exempt  material  from  FOIA  and  analyze  the  amount  of 
discretion  left  to  the  agency.  The  statute  must  be  “the  product  of  congressional 
appreciation  of  the  dangers  inherent  in  airing  particular  data  and  must  incorporate  a 
formula  whereby  the  administrator  may  determine  precisely  whether  the  disclosure 
in  any  instance  would  pose  the  hazard  that  Congress  foresaw.”31 

Numerous  statutes  have  been  held  by  courts  to  qualify  as  exemption  3  statutes 
and  agencies.32  In  addition,  agencies  often  rely  on  statutes  as  a  basis  for  exemption 
3  withholding  in  the  absence  of  a  judicial  determination  that  the  statute  qualifies  as 
an  exemption  3  withholding  statute.33  Congress  has  increasingly  enacted  exemption 
3  statutes  containing  disclosure  prohibitions  that  are  specifically  directed  toward  the 
Freedom  of  Information  Act  (FOIA).34  The  following  are  summaries  of  selected 
exemption  3  statutes  applied  by  various  agencies  that  may  be  relevant  to  the 
protection  of  security-related  information  and  that  contain  legal  authorities  or 


31  Sciba  v.  Board  of  Governor  of  Federal  Reserve  System ,  2005  WL  758260  (D.D.C.  2005), 
(quoting  Wisconsin  Project  on  Nuclear  Arms  Control  v.  U.S.  Dept,  of  Commerce,  317  F.  3d 
275, 280  (D.C.  Cir.  2003);  American  Jewish  Congress  v.  Kreps,  574  F.2d  624,  628-29  (D.C. 
Cir.  1978);  Whalen  v.  U.S.  Marine  Corps,  2005  WL  736536  (D.D.C.  2005)). 

32  See  13  U.S. C.  §§  8(b)  and  9(a)  (prohibits  use  of  Census  Act  data  for  secondary  purposes); 
Fed.  R.  Crim.  P.  6(e),  requires  secrecy  for  grand  jury  matters;  50  U.S.C.  §  403-3(l)(5) 
protects  CIA  intelligence  sources  and  methods;  26  U.S.C.  §  6 103,  controls  income  tax  return 
information;  35  U.S.C.  §  122,  prohibits  disclosure  of  patent  applications;  50  U.S.C.  §  402, 
exempts  from  disclosure  the  organization  or  function  of  the  National  Security  Agency;  15 
U.S.C.  §  2055(b)(1)  governs  the  disclosure  of  information  submitted  to  the  Consumer 
Product  Safety  Commission;  42  U.S.C.  §  2000e-8(e)  of  the  Civil  Rights  Act  of  1964 
prohibits  the  disclosure  of  information  reported  to  the  Equal  Employment  Opportunity 
Commission. 

33  Department  of  Justice,  Agencies  Rely  on  Wide  Range  of  Exemption  3  Statutes,  FOIA  Post 
(2003),  available  at,  [http://www.usdoj.gov/oip/foiapost/2003foiapost41.htm], 

34  See,  e.g.,  P.L.  107-296,  §  214(a)(1)(A),  116  Stat.  2135  (2002)  (prohibiting  FOIA 
disclosure  of  critical  infrastructure  information  voluntarily  submitted  to  federal  government 
for  homeland  security  purposes)  (enacted  Nov.  25,  2002);  39  U.S.C.  §  3016(d)(barring 
FOIA  disclosure  of  documentary  material  provided  pursuant  to  subpoena  issued  under 
statutory  provision  pertaining  to  nonmailable  matter)  (enacted  Dec.  12,  1999);  42  U.S.C.  § 
7401  note  (prohibiting  FOIA  disclosure  of  information  submitted  to  EPA  detailing 
“worst-case  scenarios”  that  might  result  from  accidental  or  intentional  releases  of  chemicals 
or  fuels)  (enacted  Aug.  5,  1999);  16  U.S.C.  §  5937  (prohibiting  FOIA  disclosure  of 
information  pertaining  to  National  Park  System  resources  such  as  endangered  species) 
(enacted  Nov.  13,  1998);  38  U.S.C.  §  7451  (prohibiting  FOIA  disclosure  of  certain 
information  collected  by  Department  of  Veterans  Affairs  in  surveys  of  rates  of 
compensation)  (enacted  Aug.  15,  1990);  42  U.S.C.  §  7412  (prohibiting  FOIA  disclosure  of 
certain  information  acquired  under  Clean  Air  Act,  42  U.S.C.  §  7412,  if  such  information 
would  pose  threat  to  national  security)  (enacted  Aug.  5,  1999);  31  U.S.C.  §  3729 
(prohibiting  FOIA  disclosure  of  certain  information  furnished  pursuant  to  False  Claims  Act, 
31  U.S.C.  §  3729)  (enacted  Oct.  27,  1986);  31  U.S.C.  §  5319  (preventing  FOIA  disclosure 
of  Currency  Transaction  Reports)  (enacted  Sept.  13,  1982);  15  U.S.C.  §  57b-2(f) 
(prohibiting  FOIA  disclosure  of  information  received  by  FTC  for  investigative  purposes) 
(enacted  May  28, 1980);  15U.S.C.  §  1314(g)  proscribing  FOIA  disclosure  of  certain  records 
gathered  in  course  of  investigations  under  Antitrust  Civil  Process  Act  (enacted  Sept.  30, 
1976)). 


CRS-9 


requirements  regarding  non-disclosure  of  information  developed  or  obtained  in 
accordance  with  those  Acts. 

The  Electronic  Freedom  of  Information  Act  Amendments  of  1996  require 
agencies  to  list  the  exemption  3  statutes  upon  which  they  rely  in  their  annual  FOIA 
reports,  and  include  a  description  of  whether  a  court  has  upheld  the  agency’ s  decision 
to  withhold  information  under  such  statute.35  An  examination  of  exemption  3 
statutes  applied  by  DHS  components  throughout  FY2004  reveals  that  several  non¬ 
disclosure  provisions  are  relied  on  to  withhold  security-related  information.36  These 
exemption  (b)(3)  statutes  include  non-disclosure  provisions  for  critical  infrastructure 
information,37  the  prohibition  on  release  of  all  information  contained  in  maritime 
industry  vulnerability  assessments,38  the  prohibition  on  release  of  all  information 
contained  in  maritime  security  plans,39  and  a  provision  governing  the  non-disclosure 
of  transportation  security  activities.40  The  Environmental  Protection  Agency  cites  a 
provision  of  the  Safe  Drinking  Water  Act41  as  authority  to  withhold  vulnerability 
assessments  from  community  water  systems  under  exemption  3. 42 

The  Maritime  Transportation  Security  Act  of  2002  (MTS A).4*  An 

exemption  3  statute  administered  by  the  U.S.  Coast  Guard,  The  MTSA  requires  ports 
and  facilities  located  within  ports  to  perform  vulnerability  assessments  and  develop 
security  plans.  The  MTSA  requires  “an  owner  or  operator  of  a  vessel  or  facility  ... 
[to]  prepare  and  submit  to  the  Secretary  a  security  plan  for  the  vessel  or  facility.”44 
The  reach  of  this  requirement  can  be  quite  broad.  For  example,  because  ports  are 
often  the  location  of  chemical  facilities,  such  as  petroleum  refineries,  some  chemical 
facilities  must  comply  with  MTSA.45  The  MTSA  provides  that  information 
developed  under  this  statute  is  not  required  to  be  disclosed  to  the  public.46  Covered 
information  includes  “facility  security  plans,  vessel  security  plans,  and  port 


35  P.L.  104-231,  5  U.S.C.  §  552(e)(l)(B)(ii)). 

36  Department  of  Homeland  Security  Privacy  Office,  2005  Annual  Freedom  of  Information 
Act  Report  to  the  Attorney  General  of  the  United  States:  October  1  -  September  30,  2005, 
8,  available  at,  [http://www.dhs.gov/interweb/assetlibrary/privacy_rpt_foia_2005.pdf]. 

37  6  U.S.C.  §  133. 

38  46  U.S.C.  §  1 1 14(s). 

39  46  U.S.C.  §  70103. 

40  49  U.S.C.  §  1 14(s). 

41  42  U.S.C.  §  1433  (a)(3). 

42  Environmental  Protection  Agency,  FY2004  Annual  Freedom  of  Information  Report,  5, 
available  at  [http://www.epa.gov/foia/docs/2004report.pdf]. 

43  Homeland  Security  Act  of  2002,  P.F.  107-295. 

44  46  U.S.C.  §  70103(c)(1). 

45  See  CRS  Report  RF33043,  Legislative  Approaches  to  Chemical  Facility  Security,  by  Dana 
A.  Shea. 

46  46  U.S.C.  §  70103(d)  (stating  that  “[notwithstanding  any  other  provision  of  law, 
information  developed  under  this  chapter  is  not  required  to  be  disclosed  to  the  public  ...  “). 


CRS-10 


vulnerability  assessment;  and  ...  other  information  related  to  security  plans, 
procedures,  or  programs  for  vessels  or  facilities  authorized  under  this  chapter.”47 

The  Aviation  and  Transportation  Security  Act  2001  (ATSA).  The 

ATS  A  transferred  to  the  Transportation  Security  Administration  (TS  A)  responsibility 
for  protection  of  certain  information  vital  to  transportation  security.48  ATSA 
provides  that  “notwithstanding  section  552  of  title  5  and  the  establishment  of  a 
Department  of  Homeland  Security,  the  Secretary  of  Transportation  shall  prescribe 
regulations  prohibiting  disclosure  of  information  obtained  or  developed  in  ensuring 
security  under  this  title  if  the  Secretary  of  Transportation  decides  disclosing  the 
information  would  -  (A)  be  an  unwarranted  invasion  of  personal  privacy;  (B)  reveal 
a  trade  secret  or  privileged  or  confidential  commercial  or  financial  information;  or 
(C)  be  detrimental  to  transportation  safety.”49  The  Secretary  of  Transportation  issued 
regulations  covering  the  disclosure  of  a  category  of  information  labeled  sensitive 
security  information  (SSI).50 

The  Safe  Drinking  Water  Act  (SDWA).  The  SDWA,  as  amended  by  the 
Public  Health  Security  and  Bioterrorism  Preparedness  and  Response  Act  of  2002, 51 
among  other  things  requires  community  water  systems  to  perform  vulnerability 
analyses  of  their  facilities  and  includes  protections  for  vulnerability  assessments.52 
Community  water  systems  are  required  to  certify  to  EPA  that  they  have  conducted 
a  vulnerability  assessment,  and  to  submit  a  copy  of  the  assessment  to  EPA.  The 
SDWA  requires  that  “(2)  each  community  water  system  ...  [shall]  certify  to  the 
Administrator  that  the  system  has  conducted  an  assessment ...  and  shall  submit  to  the 
Administrator  a  written  copy  of  the  assessment.”53  The  SDWA  provides  that  “all 
information  provided  to  the  Administrator  [of  the  EPA]  under  this  subsection  and  all 
information  derived  therefrom  shall  be  exempt  from  disclosure  under  section  552  of 
Title  5.”54 


47  Id. ;  see  also  infra,  notes  99-106  and  accompanying  text. 

48  Aviation  and  Transportation  Security  Act,  P.L.  107-71,  §101  (e)(3),  115  Stat.  597,  603 
(2001)  (codified  at  49  U.S.C.  §  40119  (2001)).  The  D.C.  Circuit  has  held  that  this 
provision  of  the  Federal  Aviation  Act  relating  to  security  data  the  disclosure  of  which  would 
be  detrimental  to  the  safety  of  travelers  shields  that  particular  data  from  disclosure  under  the 
FOIA.  Pub.  Citizen ,  Inc.  v.  FAA,  988  F.2d  186,  194  (D.C.  Cir.  1993). 

49  See  CRS  Report  RL33512,  Transportation  Security:  Issues  for  the  109th  Congress, 
coordinated  by  David  Randall  Peterman. 

50  49  C.F.R.  Part  1520;  see  also  infra,  notes  93-98  and  accompanying  text. 

51  P.L.  107-188,  42  U.S.C.  §  300i-2. 

52  See  CRS  Report  RL31294,  Safeguarding  the  Nation  ’s  Drinking  Water:  EPA  and 
Congressional  Actions,  by  Mary  Tiemann. 

53  42  U.S.C.  §  300i-2(a)(2). 

54  42  U.S.C.  §  300i-2(a)(3). 


CRS-11 


Critical  Infrastructure  Information  Act  of  2002  (CIIA) 

The  “Critical  Infrastructure  Information  Act  of  2002,”  (“CIIA”)  is  found  in 
Subtitle  B  of  Title  II  of  the  Homeland  Security  Act  of  2002.55  CIIA  consists  of  a 
group  of  provisions  that  address  the  circumstances  under  which  the  Department  of 
Homeland  Security  may  obtain,  use,  and  disclose  critical  infrastructure  information 
as  part  of  a  critical  infrastructure  protection  program.  The  CIIA  was  enacted,  in  part, 
to  respond  to  the  need  for  the  federal  government  and  owners  and  operators  of  the 
nation’s  critical  infrastructures  to  share  information  on  vulnerabilities  and  threats, 
and  to  promote  information  sharing  between  the  private  and  public  sectors  in  order 
to  protect  critical  assets.  CIIA  establishes  several  limitations  on  the  disclosure  of 
critical  infrastructure  information  voluntarily  submitted  to  DHS. 

Definitions. 

The  CIIA  includes  4  key  definitions:  critical  infrastructure  information;  covered 
federal  agency;  voluntary;  and  express  statement.  Another  key  definition,  critical 
infrastructure,  is  defined  elsewhere  in  the  Homeland  Security  Act. 

The  most  important  definition  in  CIIA  is  that  of  “critical  infrastructure 
information”  because  the  CIIA  protections  are  triggered  only  for  such  information. 
Critical  infrastructures  are  defined  elsewhere  in  the  Homeland  Security  Act  as 
“systems  and  assets,  whether  physical  or  virtual,  so  vital  to  the  United  States  that  the 
incapacity  or  destruction  of  such  systems  and  assets  would  have  a  debilitating  impact 
on  security,  national  economic  security,  national  public  health  or  safety,  or  any 
combination  of  these  matters.”56  This  definition  is  viewed  as  a  broad  catch-all 
provision  likely  to  cover  a  wide  array  of  activities. 

Critical  infrastructure  information  is  defined  as  “information  not  customarily 
in  the  public  domain  and  related  to  the  security  of  critical  infrastructure  or  protected 
systems  — 

(A)  actual,  potential,  or  threatened  interference  with,  attack  on,  compromise  of, 
or  incapacitation  of  critical  infrastructure  or  protected  systems  by  either  physical 
or  computer-based  attack  or  other  similar  conduct  (including  misuse  of  or 
unauthorized  access  to  all  types  of  communications  and  data  transmission 
systems)  that  violates  federal,  state,  or  local  law,  harms  interstate  commerce  of 
the  United  States,  or  threatens  public  health  and  safety; 

(B)  the  ability  of  critical  infrastructure  or  protected  systems  to  resist  such 
interference,  compromise,  or  incapacitation,  including  any  planned  or  past 
assessment,  projection  or  estimate  of  the  vulnerability  of  critical  infrastructure 
or  a  protected  system,  including  security  testing,  risk  evaluation  thereto,  risk 
management  planning,  or  risk  audit;  or, 

(C)  any  planned  or  past  operational  problem  or  solution  regarding  critical 
infrastructure  ...  including  repair,  recovery,  reconstruction,  insurance,  or 


55  Homeland  Security  Act  of  2002,  P.L.  107-296,  §§  211-215  116  Stat.  2135  (2002). 

56  P.L.  107-56,  §  1016(e),  42  U.S.C.  5195(e). 


CRS-12 


continuity  to  the  extent  it  relates  to  such  interference,  compromise,  or 

incapacitation.57 

This  definition  covers  a  wide  range  of  information  and  is  further  expanded  by 
reference  to  the  statutory  definition  of  critical  infrastructure  from  the  USA  PATRIOT 
Act.58 

A  covered  federal  agency  is  defined  by  the  CIIA  as  the  Department  of  Homeland 
Security.59 

The  term  “voluntary”  with  respect  to  the  submittal  of  critical  infrastructure 
information  to  a  covered  federal  agency  means  “the  submittal  thereof  in  the  absence 
of  such  agency’s  exercise  of  legal  authority  to  compel  access  or  submission  of  such 
information  and  may  be  accomplished  by  a  single  entity  or  an  Information  Sharing 
and  Analysis  Organization  on  behalf  of  itself  or  its  members.”60  In  addition,  the 
definition  of  voluntary  includes  a  critical  exclusion.  A  voluntary  submission  to  DHS 
does  not  include  filings  that  were  also  made  with  the  Securities  and  Exchange 
Commission  or  Federal  banking  regulators,  statements  made  pursuant  to  the  sale  of 
securities,  or  information  or  statements  submitted  or  relied  upon  as  a  basis  for 
making  licensing  or  permitting  determinations,  or  during  regulatory  proceedings. 
Consequently,  information  falling  within  the  exclusion  would  not  be  protected  from 
disclosure. 

In  order  to  obtain  the  protections  of  the  CIIA,  the  submission  must  be 
accompanied  by  an  express  statement  of  expectation  of  protection  from  disclosure. 
In  the  case  of  written  information  or  records,  this  means  a  written  marking  on  the 
information  or  records  similar  to  “This  information  is  voluntarily  submitted  to  the 
Federal  Government  in  expectation  of  protection  from  disclosure  as  provided  by  the 
provisions  of  the  Critical  Infrastructure  Information  Act  of  2002.”  In  the  case  of  oral 
information,  CIIA  requires  the  submission  of  a  similar  written  statement  within  a 
reasonable  time  period  following  the  oral  communication.61 

Protected  Critical  Infrastructure  Information  (PCII). 

Section  214  of  the  CIIA  is  entitled  “Protection  of  Voluntarily  Shared  Critical 
Infrastructure  Information.”  The  section  establishes  several  protections  for  critical 
infrastructure  information  voluntarily  submitted  to  the  Department  of  Homeland 
Security  for  use  regarding  the  security  of  critical  infrastructures  and  protected 
systems  and  for  other  purposes  when  such  information  is  accompanied  by  an  express 
statement  to  the  effect  that  the  information  is  voluntarily  submitted  to  the  federal 


57  P.L.  107-296,  §212(3). 

58  See  the  “Issues  and  Concerns”  section  of  CRS  Report  RL31547,  Critical  Infrastructure 
Information  Disclosure  and  Homeland  Security  by  John  Moteff  and  Gina  Marie  Stevens. 

59  P.L.  107-296,  1 16  Stat.  2135,  §  212(2);  See  also  id.  at  §  214(c)  (adding  that  the  provision 
does  not  apply  to  “independently  obtained  information”). 

60  P.L.  107-296,  §212(7). 

61  See  id.  at  §  214(a)(2)(A)-(B) 


CRS-13 


government  in  expectation  of  protection  from  disclosure.  To  encourage  private  and 
public  sector  entities  and  persons  to  voluntarily  share  their  critical  infrastructure 
information  with  the  Department  of  Homeland  Security,  the  CIIA  includes  several 
measures  to  ensure  against  disclosure  of  protected  critical  infrastructure  information 
by  DHS. 

Freedom  of  Information  Act. 

Section  214(a)(1)  of  the  CIIA,  entitled  “In  General,”  provides: 

Notwithstanding  any  other  provision  of  law,  critical  infrastructure  information 
(including  the  identity  of  the  submitting  person  or  entity)  that  is  voluntarily 
submitted  to  a  covered  Federal  agency  for  use  by  that  agency  regarding  the 
security  of  critical  infrastructures  and  protected  systems,  analysis,  warning, 
interdependency  study,  recovery,  reconstitution,  or  other  informational  purpose, 
when  accompanied  by  an  express  statement.... 

(A)  shall  be  exempt  from  disclosure  under  section  552  of  title  5,  United  States 
Code  (commonly  referred  to  as  the  Freedom  of  Information  Act).62 

According  to  the  Department  of  Justice,  the  agency  responsible  for  administering  the 
FOIA,  section  214(a)(1)  will  operate  as  a  new  “Exemption  3  statute”63  under  FOIA. 64 
Section  214(a)(1)(A)  leaves  no  discretion  and  requires  that  critical  infrastructure 
information  voluntarily  submitted  to  the  DHS  not  be  disclosed  under  FOIA. 

Ex  Parte  Communications  in  Agency  Proceedings. 

Section  214(a)(1)(B)  of  the  CIIA  provides  that  PCII  will  not  be  subject  to 
agency  rules  or  judicial  doctrine  regarding  ex-parte  communications.  The 
Administrative  Procedure  Act  (APA)  establishes  the  rules  for  agencies  to  adhere  to 
with  respect  to  ex  parte  communications  in  agency  proceedings.65  The  APA  defines 
an  “ex  parte  communication”  as  an  “oral  or  written  communication  not  on  the  public 
record  with  respect  to  which  reasonable  prior  notice  to  all  parties  is  not  given....”66 
Section  556(e)  of  the  Administrative  Procedure  Act  incorporates  the  principle  that 
formal  agency  adjudications  are  to  be  decided  solely  on  the  basis  of  record  evidence. 
It  provides  that  “[t]he  transcript  of  testimony  and  exhibits,  together  with  all  papers 


62  P.L.  107-296,  116  Stat.  2135,  §  214(a)(1)(A)  (codified  at  6  U.S.C.  §  133(a)(1)(A)). 

63  Under  exemption  3  of  the  FOIA,  information  protected  from  disclosure  under  other 
statutes  is  also  exempt  from  public  disclosure  provided  that  such  statute  requires  that  the 
matters  be  withheld  from  the  public  in  such  a  manner  as  to  leave  no  discretion  on  the  issue, 
or  establishes  particular  criteria  for  withholding  or  refers  to  particular  types  of  matters  to  be 
withheld.  Unlike  other  FOIA  exemptions,  if  the  information  requested  under  FOIA  meets 
the  withholding  criteria  of  exemption  3,  the  information  must  be  withheld.  See  5  U.S.C.  § 
552(b)(3). 

64  Department  of  Justice,  “Homeland  Security  Law  Contains  New  Exemption  3  Statute,” 
FOIA  Post  (2003). 

65  5  U.S.C.  §551  etseq. 

66  5  U.S.C.  §551(14). 


CRS-14 


and  requests  filed  in  the  proceeding,  constitutes  the  exclusive  record  for  decision.”67 
The  reason  for  this  “exclusiveness  of  record”  principle  is  to  provide  fairness  to  the 
parties  in  order  to  ensure  meaningfully  participation.  Challenges  to  the 
“exclusiveness  of  record”  occur  when  there  are  ex  parte  contacts  —  communications 
from  an  interested  party  to  a  decision  making  official  that  take  place  outside  the 
hearing  and  off  the  record. 

Section  557(d)(1)  of  the  APA  prohibits  any  “interested  person  outside  the 
agency”  from  making,  or  knowingly  causing,  “any  ex  parte  communication  relevant 
to  the  merits  of  the  proceeding”  to  any  decision  making  official.  Similar  restraints 
are  imposed  on  the  agency  decision  makers.68  When  an  improper  ex  parte  contact 
occurs,  the  APA  requires  that  it  be  placed  on  the  public  record;  if  it  was  an  oral 
communication,  a  memorandum  summarizing  the  contact  must  be  filed.69  Upon 
receipt  of  an  ex  parte  communication  knowingly  made  or  knowingly  caused  to  be 
made  by  a  party  in  violation  of  the  APA,  the  agency,  administrative  law  judge,  or 
other  employee  presiding  at  the  hearing  may  require  the  party  to  show  cause  why  his 
claim  or  interest  in  the  proceeding  should  not  be  dismissed,  denied,  disregarded,  or 
otherwise  adversely  affected  on  account  of  such  violation.70 

Prohibition  on  Use  of  PCII  in  Civil  Actions. 

Section  214(a)(1)(C)  of  the  CHA  creates  an  evidentiary  exclusion  for  PCII. 
Section  214(a)(1)(C)  prohibits  the  direct  use,  without  the  written  consent  of  the 
information  submitter,  of  protected  critical  infrastructure  information  by  such  agency 
(DHS),  any  other  federal,  state,  or  local  authority,  or  third  party  in  any  civil  action 
arising  under  federal  or  state  law  if  submitted  in  good  faith.  This  evidentiary 
limitation  does  not  apply  to  regulatory  or  enforcement  actions  by  federal,  state,  or 
local  governmental  entities,  nor  to  civil  actions  when  the  information  is  obtained 
independently  of  the  DHS.  Public  interest  groups  are  concerned  that  this  provision 
is  very  broad,  and  potentially  could  shield  owners  and  operators  from  liability  under 
antitrust,  tort,  tax,  civil  rights,  environmental,  labor,  consumer  protection,  and  health 
and  safety  laws. 

Prohibited  and  Protected  Disclosures. 

Section  214(a)(1)(D)  of  the  CIIA  prohibits  use  or  disclosure  of  critical 
infrastructure  information  by  U.S.  officers  or  employees,  without  consent,  for 
unauthorized  purposes.  This  section  authorizes  the  use  or  disclosure  of  such 
information  by  officers  and  employees  in  furtherance  of  the  investigation  or  the 
prosecution  of  a  criminal  act;  or  for  disclosure  to  Congress  or  the  Government 
Accountability  Office.  The  President’s  signing  statement  accompanying  the 
Homeland  Security  Act  of  2002  expressly  addressed  this  provision.  It  states  that 
“The  executive  branch  does  not  construe  this  provision  to  impose  any  independent 


67  Id.  at  §  556(e). 

68  5  U.S.C.  §  557(d)(1)(E). 

69  Id.  at  §  557(d)(1)(C). 

70  Id.  at  §  557(D). 


CRS-15 


or  affirmative  requirement  to  share  such  information  with  the  Congress  or  the 
Comptroller  General  and  shall  construe  it  in  any  manner  consistent  with  the 
constitutional  authorities  of  the  President  to  supervise  the  unitary  executive  branch 
and  to  withhold  information  the  disclosure  of  which  could  impair  foreign  relations, 
the  national  security,  the  deliberative  processes  of  the  Executive,  or  the  performance 
of  the  Executive’s  constitutional  duties.”71 

Access  under  State  and  Local  Laws. 

Section  §  214(a)(1)(E)  of  the  CIIA  specifically  mandates  that  the  critical 
infrastructure  information  now  exempt  under  the  FOIA  “shall  not,  if  provided  to  a 
State  or  local  government  ...  be  made  available  pursuant  to  any  State  or  local  law 
requiring  disclosure  of  information  or  records.”  This  statute  thus  explicitly  provides 
for  the  “preemption”  of  state  freedom  of  information  laws  by  federal  law.72  It  also 
prohibits  state  or  local  governments  from  disclosing  protected  critical  infrastructure 
information  provided  to  them  by  DHS  without  written  consent  of  the  entity 
submitting  the  information,  and  further  prohibits  its  use  for  other  than  critical 
infrastructure  protection,  or  the  furtherance  of  a  criminal  investigation  or  prosecution. 

Waiver  of  Privileges. 

Section  214(a)(1)(F)  of  the  CIIA  guards  against  “waiver  of  any  applicable 
privilege  or  protection  provided  under  law,  such  as  trade  secret  protection.”  Other 
relevant  evidentiary  privileges  may  include  the  attorney-client  privilege.73 

Federal  Advisory  Committee  Act. 

Section  214(b)  of  the  Act  provides  that  no  communication  of  critical 
infrastructure  information  to  the  Department  of  Homeland  Security  pursuant  to  the 
CIIA  shall  be  considered  an  action  subject  to  the  requirements  of  the  Federal 
Advisory  Committee  Act  (FACA).74  The  FACA  requires  that  meetings  of  federal 
advisory  committees  serving  executive  branch  entities  be  open  to  the  public.75  The 


71  The  White  House,  Statement  by  the  President  on  H.R.  5005,  the  Homeland  Secuirty  Act 
of  2002  (Nov.  25,  2002). 

72  See  also  Freedom  of  Information  Act  Guide  &  Privacy  Act  Overview  (May  2002),  at  563- 
64  (discussing  operation  of  “preemption  doctrine”  in  FOIA  context). 

73  See  Fed.  R.  Evid.  501. 

74  5  U.S.C.  App.  2. 

75  5  U.S.C.  App.  2,  §  3(2)  provides 

An  “advisory  committee”  means  “any  committee,  board,  commission,  council, 
conference,  panel,  task  force,  or  other  similar  group,  or  any  subcommittee  or 
other  subgroup  thereof  (hereafter  in  this  paragraph  referred  to  as  ‘’committee’  ‘), 
which  is  -  (A)  established  by  statute  or  reorganization  plan,  or  (B)  established  or 
utilized  by  the  President,  or  (C)  established  or  utilized  by  one  or  more  agencies, 
in  the  interest  of  obtaining  advice  or  recommendations  for  the  President  or  one 

(continued...) 


CRS-16 


FACA  also  specifies  nine  categories  of  information,  similar  to  those  in  FOIA,  that 
may  be  permissively  relied  upon  to  close  advisory  committee  deliberations. 

Prior  to  passage  of  the  CIIA,  meetings  of  Information  Sharing  and  Analysis 
Organizations  (IS AO)  could  potentially  be  subject  to  FACA’s  requirements.76 
However,  the  CIIA  expressly  authorizes  ISAOs  to  voluntarily  submit  information  to 
the  DHS  on  behalf  of  itself  or  its  members  with  the  result  being  that  such  information 
will  be  protected  in  material  respects  under  the  Act  from  uses  and  disclosures 
unrelated  to  critical  infrastructure  protection.77  For  a  discussion  of  information 
sharing  and  analysis  centers  formed  by  several  sectors  (e.g.,  banking  and  finance, 
telecommunications,  electricity,  water,  etc.),  see  CRS  Report  RL30153,  Critical 
Infrastructures:  Background,  Policy,  and  Implementation ,  by  John  Moteff. 

Independently  Obtained  Information. 

Section  §  214(c)  provides  that  a  Federal  entity  may  separately  obtain  critical 
infrastructure  information  submitted  to  the  DHS  for  its  critical  infrastructure 
protection  program  through  the  use  of  independent  legal  authorities,  and  use  such 
information  in  any  action. 7S  The  CIIA  does  not  limit  the  ability  of  governments, 
entities,  or  third  parties  to  independently  obtain  critical  infrastructure  information  or 
to  use  critical  infrastructure  information  for  limited  purposes. 


75  (...continued) 

or  more  agencies  or  officers  of  the  Federal  Government,  except  that  such  term 
excludes  (i)  any  committee  that  is  composed  wholly  of  full-time,  or  permanent 
part-time,  officers  or  employees  of  the  Federal  Government,  and  (ii)  any 
committee  that  is  created  by  the  National  Academy  of  Sciences  or  the  National 
Academy  of  Public  Administration.” 

76  P.L.  107-296,  §  212(5)  defines  “Information  Sharing  and  Analysis  Organization”  as 

any  formal  or  informal  entity  or  collaboration  created  or  employed  by  public  or 
private  sector  organizations,  for  purposes  of  —  (A)  gathering  and  analyzing 
critical  infrastructure  information  ...  (B)  communicating  or  disclosing  critical 
infrastructure  information  ...  and  (C)  voluntarily  disseminating  critical 
infrastructure  information.... 

77  Id.  at  §  212(7) 

78  Subsection  §  214(c)  provides:  “(c)  INDEPENDENTLY  OBTAINED  INFORMATION- 
Nothing  in  this  section  shall  be  construed  to  limit  or  otherwise  affect  the  ability  of  a  State, 
local,  or  Federal  Government  entity,  agency,  or  authority,  or  any  third  party,  under 
applicable  law,  to  obtain  critical  infrastructure  information  in  a  manner  not  covered  by 
subsection  (a),  including  any  information  lawfully  and  properly  disclosed  generally  or 
broadly  to  the  public  and  to  use  such  information  in  any  manner  permitted  by  law.” 


CRS-17 


Voluntary  Submissions  to  the  Government. 

Section  214(d)  provides  that  the  voluntary  submittal  to  the  government  of 
information  or  records  that  are  protected  from  disclosure  shall  not  be  construed  to 
constitute  compliance  with  any  requirement  to  submit  such  information  to  a  federal 
agency  under  any  other  law.  Prior  to  the  enactment  of  this  new  FOIA  exemption  3 
statute,  critical  infrastructure  information  submitted  to  the  government  would 
probably  have  fallen  under  exemption  4  (commercial  or  financial  information)  and 
its  release  under  FOIA  dependent  on  whether  it  was  submittted  voluntarily  or 
pursuant  to  requirement.  The  Report  of  the  House  Select  Committee  on  Homeland 
Security  accompanying  H.R.  5005  states  that  “The  Select  Committee  intends  that 
subtitle  C  only  protect  private,  security-related  information  that  is  voluntarily  shared 
with  the  government  in  order  to  assist  in  increasing  homeland  security.  This  subtitle 
does  not  protect  information  required  under  any  health,  safety,  or  environmental  law” 
(emphasis  added).79 

Safeguards  for  PCII. 

Section  214(e)  requires  the  Secretary  of  DHS  to  establish  procedures  for  the 
receipt,  care,  and  storage  of  critical  infrastructure  information  not  later  than  90  days 
after  enactment.80  The  Secretary  of  Homeland  Security  is  to  consult  with  the 
National  Security  Council  and  the  Office  of  Science  and  Technology  Policy  to 
establish  uniform  procedures. 

Criminal  Penalties. 

Section  214(f)  contains  a  provision  that  makes  it  a  criminal  offense  for  any 
federal  employee  to  “knowingly ...  disclose[] ...  any  critical  infrastructure  information 
[that  is]  protected  from  disclosure”  under  it,  without  proper  legal  authorization. 

(f)  PENALTIES-  Whoever,  being  an  officer  or  employee  of  the  United  States  or 
of  any  department  or  agency  thereof,  knowingly  publishes,  divulges,  discloses, 
or  makes  known  in  any  manner  or  to  any  extent  not  authorized  by  law,  any 
critical  infrastructure  information  protected  from  disclosure  by  this  subtitle 
coming  to  him  in  the  course  of  this  employment  or  official  duties  or  by  reason 
of  any  examination  or  investigation  made  by,  or  return,  report,  or  record  made 
to  or  filed  with,  such  department  or  agency  or  officer  or  employee  thereof,  shall 
be  fined  under  title  18  of  the  United  States  Code,  imprisoned  not  more  than  1 
year,  or  both,  and  shall  be  removed  from  office  or  employment. 


79  H.  Rep.  No.  107-609,  Homeland  Security  Act  of  2002,  p.  116. 

80  The  Homeland  Security  Act  took  effect  60  days  after  passage;  the  legislation  was  enacted 
on  November  25,  2002.  The  Secretary  was  to  establish  those  procedures  no  later  than 
February  23,  2003. 


CRS-18 


This  provision  is  similar  to  the  criminal  penalties  imposed  in  the  Privacy  Act81  and 
the  Trade  Secrets  Act.S2 

Other  Provisions. 

Section  214(g)  of  the  CIIA  authorizes  the  federal  government  to  provide 
advisories,  alerts,  and  warnings  to  relevant  companies,  targeted  sectors,  other 
government  entities,  or  the  general  public  regarding  potential  threats  to  critical 
infrastructure.  In  issuing  a  warning,  the  federal  government  must  protect  from 
disclosure  the  source  of  any  voluntarily  submitted  critical  infrastructure  information 
that  forms  the  basis  for  the  warning,  or  information  that  is  proprietary,  business 
sensitive,  or  otherwise  not  appropriately  in  the  public  domain. 

Section  215  of  CIIA  expressly  provides  that  a  private  right  of  action  for 
enforcement  of  the  Act  is  not  created. 

Final  Regulations. 

The  Department  of  Homeland  Security  recently  promulgated  the  final  rule  for 
“Procedures  for  Handling  Protected  Critical  Infrastructure  Information.”83  This  final 
rule,  which  became  effective  upon  publication  in  the  Federal  Register  September  1, 
2006,  amends  Homeland  Security  regulations  establishing  uniform  procedures  to 
implement  the  Critical  Infrastructure  Information  Act  of  2002.  These  procedures 
govern  the  receipt,  validation,  handling,  storage,  marking  and  use  of  critical 
infrastructure  information  voluntarily  submitted  to  the  Department  of  Homeland 
Security.  This  rule  applies  to  all  federal  agencies,  all  United  States  Government 


81  5  U.S.C.  §  552a  (i)(l)(“  Criminal  Penalties.  Any  officer  or  employee  of  an  agency,  who 
by  virtue  of  his  employment  or  official  position,  has  possession  of,  or  access  to,  agency 
records  which  contain  individually  identifiable  information  the  disclosure  of  which  is 
prohibited  by  this  section  or  by  rules  or  regulations  established  thereunder,  and  who 
knowing  that  disclosure  of  the  specific  material  is  so  prohibited,  willfully  discloses  the 
material  in  any  manner  to  any  person  or  agency  not  entitled  to  receive  it,  shall  be  guilty  of 
a  misdemeanor  and  fined  not  more  than  $5,000.”) 

82  18  U.S.C.  §  1905  (Whoever,  being  an  officer  or  employee  of  the  United  States  or  of  any 
department  or  agency  thereof,  any  person  acting  on  behalf  of  the  Office  of  Federal  Housing 
Enterprise  Oversight,  or  agent  of  the  Department  of  Justice  as  defined  in  the  Antitrust  Civil 
Process  Act  (15  U.S.C.  1311-1314),  publishes,  divulges,  discloses,  or  makes  known  in  any 
manner  or  to  any  extent  not  authorized  by  law  any  information  coming  to  him  in  the  course 
of  his  employment  or  official  duties  or  by  reason  of  any  examination  or  investigation  made 
by,  or  return,  report  or  record  made  to  or  filed  with,  such  department  or  agency  or  officer 
or  employee  thereof,  which  information  concerns  or  relates  to  the  trade  secrets,  processes, 
operations,  style  of  work,  or  apparatus,  or  to  the  identity,  confidential  statistical  data, 
amount  or  source  of  any  income,  profits,  losses,  or  expenditures  of  any  person,  firm, 
partnership,  corporation,  or  association;  or  permits  any  income  return  or  copy  thereof  or  any 
book  containing  any  abstract  or  particulars  thereof  to  be  seen  or  examined  by  any  person 
except  as  provided  by  law;  shall  be  fined  under  this  title,  or  imprisoned  not  more  than  one 
year,  or  both;  and  shall  be  removed  from  office  or  employment.”). 

83  71  Fed.  Reg.  52,261  (Sept.  1,  2006),  available  at  [http://a257-g.akamaitech.net/ 
7/257/2422/0  ljan20061800/edocket.access.gpo.gov/2006/06-7378.htm]. 


CRS-19 


contractors,  and  state,  local  and  other  governmental  entities  that  handle,  use,  store, 
or  have  access  to  critical  infrastructure  information  that  enjoys  protection  under  the 
Critical  Infrastructure  Information  Act  of  2002. 

Air  Transportation  Security  Act  of  1974 

Sensitive  Security  Information  (SSI).  The  law  governing  SSI  originated 
with  the  Air  Transportation  Security  Act  of  1974  (1974  Act),84  which  delegated 
authority  for  transportation  security  to  various  agencies  within  the  Department  of 
Transportation  (DOT).  The  1974  Act  specifically  authorized  the  Federal  Aviation 
Administration  (FAA)  to: 

prohibit  disclosure  of  any  information  obtained  or  developed  in  the  conduct  of 
research  and  development  activities  ...  if  in  the  opinion  of  the  Administrator  the 
disclosure  of  such  information  —  (A)  would  constitute  an  unwarranted  invasion 
of  personal  privacy. . . ;  (B )  would  reveal  trade  secrets  or  privileged  or  confidential 
commercial  or  financial  information  obtained  from  any  person;  or  (C)  would  be 
detrimental  to  the  safety  of  persons  traveling  in  air  transportation.85 

The  FAA  implemented  this  authority  by  promulgating  regulations,  which,  inter  alia , 
established  a  category  of  information  known  as  SSI.  As  late  as  1997,  the  DOT’s 
definition  of  SSI  included  “records  and  information  ...  obtained  or  developed  during 
security  activities  or  research  and  development  activities.”86  Encompassed  within 
this  definition  were  airport  and  air  carrier  security  programs,  as  well  as  specific 
details  concerning  aviation  security  measures.  Consistent  with  this  grant  of  authority, 
the  FAA  limited  the  applicability  of  the  SSI  regulation  to  airport  operators,  air 
carriers,  and  other  air  transportation  related  entities  and  personnel. 

After  the  attacks  of  September  11,  2001,  Congress  enacted  the  Aviation  and 
Transportation  Security  Act  (ATSA),  which,  in  addition  to  creating  new  security 
mandates,  established  the  Transportation  Security  Administration  (TSA)  within 
DOT,  and  transferred  the  responsibility  for  aviation  security  to  the  newly  created 
Under  Secretary  of  Transportation  for  Security.87  Among  the  legal  authorities 
transferred  to  the  Under  Secretary  was  the  protection  of  certain  information  vital  to 
transportation  security,  or  SSI.88  In  addition  to  transferring  SSI  classification 
authority  to  TSA,  the  ATSA  eliminated  the  statute’s  specific  reference  to  air 
transportation,  thereby  expanding  the  categories  of  information  that  can  be  classified 


84  Air  Transportation  Security  Act  of  1974,  P.L.  93-366,  §  316,  88  Stat.  409  (1974). 

8  5  Id. 

86  14C.F.R.  §  191.1  (1997). 

87  The  Under  Secretary  for  Transportation  Security  is  also  known  as  the  Administrator  of 
TSA. 

88  Aviation  and  Transportation  Security  Act,  P.L.  107-71,  §101  (e)(3),  115  Stat.  597,  603 
(2001)  (codified  at  49  U.S.C.  §  401 19  (2001)). 


CRS-20 


as  SSI.89  This  statutory  change  appears  to  permit  TSA  to  protect  SSI  with  respect  to 
virtually  all  forms  of  interstate  travel,  including  airplanes,  buses,  trains,  and  boats. 

Initially,  TSA  and  DOT  issued  regulations  that  in  large  part  simply  transferred 
the  aviation  security  regulations,  including  SSI  classification  authority,  from  the  FAA 
to  TSA.90  With  respect  to  SSI,  the  regulations  first  noted  the  expansion  of  authority 
to  all  modes  of  transportation.91  Given  this  expansion,  the  agency  determined  that 
while  the  Under  Secretary  was  given  the  ultimate  responsibility  for  carrying  out  the 
statute,  it  was  most  efficient  for  the  other  DOT  operating  administrators  (i.e.,  railway, 
highway,  transit,  and  pipeline)  to  have  day-to-day  responsibility  over  SSI  in  their  own 
modes  of  transportation.92 

Further  Statutory  Expansion  of  SSI  Authority.  In  2002,  Congress 
enacted  two  statutes,  the  Maritime  Transportation  Security  Act  (MTSA)93  and  the 
Homeland  Security  Act  of  2002, 94  both  of  which  have  had  a  significant  impact  on  the 
scope  and  applicability  of  SSI.  The  first  statute,  MTSA,  requires,  inter  alia ,  the 
Secretary  of  Homeland  Security95  to  prepare  a  National  Maritime  Transportation 
Security  Plan.96  As  a  part  of  the  national  plan,  the  Secretary  is  required  to  identify 
specific  vulnerable  areas  around  the  country  for  which  Area  Security  Plans  will  be 
developed.97  In  addition,  the  MTSA  requires  owners  and  operators  of  vessels  and 
facilities  to  develop  and  submit  to  the  Secretary  security  plans  that  will  be 
implemented  to  deter  security  incidents  to  the  maximum  extent  practicable.98  Finally, 
the  MTSA  provides  that  the  information  developed  under  this  statute  is  not  to  be 
disclosed  to  the  general  public.99  The  non-disclosure  provision  encompasses  all 


89  See  Aviation  and  Transportation  Security  Act,  P.L.  107-71,  §  101(e)(3),  115  Stat.  597, 603 
(2001) 

90  See  generally,  67  Fed.  Reg.  8340  (Feb.  22,  2002). 

91  See  id.  at  8342. 

92  See  id. 

93  See  Maritime  Transportation  Security  Act  of  2002,  P.L.  107-295,  §  102(a)  116  Stat.  2068 
(2002)  [hereinafter  MTSA], 

94  See  Homeland  Security  Act  of  2002,  P.L.  107-296,  §  1704(a)  116  Stat.  2135,  2314 
(2002). 

95  The  statute  specifically  references  the  “the  Secretary  of  the  department  in  which  the  Coast 
Guard  is  operating.”  See  MTSA,  supra  note  10  at  §  102(a)  (codified  at  46  U.S.C.  § 
70110(5)).  Currently,  the  Coast  Guard  is  operating  under  the  Department  of  Homeland 
Security.  See  Homeland  Security  Act,  supra  note  1 1  at  §  1704(a)  (amending  the  Coast 
Guard’s  authorizing  statute,  14  U.S.C.  §  1,  by  replacing  “Department  of  Transportation” 
with  “Department  of  Homeland  Security”). 

96  See  MTSA,  supra  note  10  at  §  102(a)  (codified  as  amended  at  46  U.S.C.  §  70103(a) 

(2002)). 

97  See  id.  (codified  as  amended  at  46  U.S.C.  §  70103(b)  (2002)). 

98  See  id.  (codified  as  amended  at  46  U.S.C.  §  70103(c)  (2002)). 

99  Id.  (codified  as  amended  at  46  U.S.C.  §  70103(d))  (stating  that  “  [notwithstanding  any 

(continued...) 


CRS-21 


“facility  security  plans,  vessel  security  plans,  and  port  vulnerability  assessments;  and 
...  other  information  related  to  security  plans,  procedures,  or  programs  forvessels  or 
facilities  authorized  under  this  chapter.”100  The  non-disclosure  language,  however, 
makes  no  reference  to  the  information  being  classified  as  SSI,  nor  does  it  specifically 
refer  in  any  way  to  the  TSA  and  its  statutory  authority  to  regulate  transportation 
security  information. 

In  addition  to  MTS  A,  Congress  also  passed  the  Homeland  Security  Act  of  2002, 
which,  inter  alia ,  transferred  TSA,  along  with  its  SSI  classification  authority,  to  the 
newly  created  Department  of  Homeland  Security  (DHS). 101  The  transfer  of  authority, 
however,  required  that  TSA  “shall  be  maintained  as  a  distinct  entity  within  the 
Department  under  the  Under  Secretary  for  Border  Transportation.”102  This  distinct 
entity  requirement  was  effective  for  the  first  two  years  of  DHS’s  existence  and 
expired  on  November  25,  2004. 103  It  should  be  noted  that  TSA  was  not  the  only 
agency  that  was  transferred  to  DHS  as  a  distinct  entity.  Other  such  agencies  include 
the  Coast  Guard104  and  the  United  States  Secret  Service,  whose  status  as  distinct 
entities,  however,  unlike  TSA’s,  do  not  contain  sunset  provisions.105 

The  Homeland  Security  Act  of  2002  also  re-codified  and  further  amended 
TSA’s  authority  to: 

prescribe  regulations  prohibiting  the  disclosure  of  information  obtained  or 
developed  in  carrying  out  security  under  authority  of  the  Aviation  and 
Transportation  Security  Act  (Public  Law  107-71)  or  under  chapter  449  of  this 
title  if  the  Under  Secretary  decides  that  disclosing  the  information  would  —  (A) 
be  an  unwarranted  invasion  of  personal  privacy;  (B)  reveal  a  trade  secret  or 
privileged  or  confidential  commercial  or  financial  information;  or  (C)  be 
detrimental  to  the  security  of  transportation. 106 

In  addition  to  the  amendment  to  the  definition  of  SSI,  the  Homeland  Security  Act  of 
2002  specifically  prohibits  the  Under  Secretary  from  transferring  its  SSI 
classification  authority  to  “another  department,  agency,  or  instrumentality  of  the 
United  States,”  unless  otherwise  authorized  by  law.107  Moreover,  the  Homeland 
Security  Act  of  2002  amended  the  existing  DOT  authority  with  respect  to  SSI  such 


99  (...continued) 

other  provision  of  law,  information  developed  under  this  chapter  is  not  required  to  be 
disclosed  to  the  public  ...”) 

100  Id. 

101  See  generally,  Homeland  Security  Act,  supra  note  94. 

102  See  id.  at  §  424(a). 

103  Id.  at  §  424(b)  (stating  that  “subsection  (a)  shall  expire  2  years  after  the  date  of  enactment 
of  this  Act”). 

104  See  id.  at  §  888. 

105  See  id.  at  §  821. 

106  See  id.  at  §  1601(b)  (codified  as  amended  at  49  U.S.C.  §  1 14(s)  (2002)). 

107  See  id.  (codified  at  49  U.S.C.  §  1 14(s)(3)  (2002)). 


CRS-22 


that  it  would  be  virtually  identical  to  the  TSA  authority.108  The  only  difference 
between  the  two  statutes  is  contained  in  subpart  (C),  which  provides  DOT  with 
authority  to  prohibit  disclosure  of  information  that  would  be  “detrimental  to 
transportation  safety.”109  By  removing  any  reference  to  persons  or  passengers, 
Congress  again  significantly  broadened  the  scope  of  the  SSI  authority.  As  a  result, 
it  appears  that  the  authority  to  designate  information  as  SSI  now  encompasses  all 
transportation  related  activities  including  air  and  maritime  cargo,  trucking  and  freight 
transport,  as  well  as  pipelines. 

On  May  18,  2004,  TSA,  functioning  as  distinct  entity  within  DHS,  and  DOT 
jointly  promulgated  revised  SSI  regulations  in  response  to  their  newly  expanded 
statutory  authority.110  These  revised  regulations  adopt  the  Homeland  Security  Act 
language  as  the  definition  of  SSI.  In  addition,  the  new  regulations  incorporate  former 
SSI  provisions,  including  the  sixteen  categories  of  information  and  records  that 
constitute  SSI.  Included  among  these  categories  are:  security  programs  and 
contingency  plans;111  security  directives;112  security  measures;113  security  screening 
information;114  and  a  general  category  consisting  of  “other  information.”115  With 


108  See  id.  (codified  as  amended  at  49  U.S.C.  §  401 19  (2002)). 

109  Id. 

110  See  69  Fed.  Reg.  28066,  28069  (May  18,  2004). 

1 1 1  This  section  includes 

any  security  program  or  security  contingency  plan  issued,  established,  required, 
received,  or  approved  by  DOT  or  DHS,  including:  —  (i)  Any  aircraft  operator 
or  aiiport  operator  security  program  or  security  contingency  plan  under  this 
chapter;  ...  (iii)  Any  national  or  area  security  plan  prepared  under  46  U.S.C. 
70103;.... 

See  49  CFR  §  1520.5(b)(1)  (2004). 

112  Defined  as  “any  Security  Directive  or  order:  (i)  Issued  by  TSA  under  49  CFR  1542.303, 
1544.305,  or  other  authority;  (ii)  Issued  by  the  Coast  Guard  under  the  Maritime 
Transportation  Security  Act,  33  CFR  part  6,  or  33  U.S.C.  1221  et  seq.  related  to  maritime 
security;  or  (iii)  Any  comments,  instructions,  and  implementing  guidance  pertaining  thereto. 
See  49  CFR  §  1520.5(b)(2)  (2004). 

113  Defined  as  including 

specific  details  of  aviation  or  maritime  transportation  security  measures,  both 
operational  and  technical,  whether  applied  directly  by  the  Federal  government 
or  another  person,  including  —  (i)  Security  measures  or  protocols  recommended 
by  the  Federal  government;  (ii)  Information  concerning  the  deployments, 
numbers,  and  operations  of  ...  Federal  Air  Marshals,  to  the  extent  it  is  not 
classified  national  security  information;.... 

See  49  CFR  §  1520.5(b)(8)  (2004). 

114  Including: 

information  regarding  security  screening  under  aviation  or  maritime 
transportation  security  requirements  of  Federal  law:  (i)  Any  procedures, 
including  selection  criteria  and  any  comments,  instructions,  and  implementing 
guidance  pertaining  thereto,  for  screening  of  persons,  accessible  property, 
checked  baggage,  U.S.  mail,  stores,  and  cargo,  that  is  conducted  by  the  Federal 
government  or  any  other  authorized  person;  (ii)  Information  and  sources  of 

(continued...) 


CRS-23 


respect  to  the  regulation’ s  application  to  information  governed  by  the  language  in  the 
MTS  A,  TSA  indicated  that  “[w]hile  the  MTSA  provides  broad  limitations  on  public 
disclosure  of  the  information  related  to  maritime  security  requirements  (see  46 
U.S.C.  70103),  it  does  not  establish  binding  requirements  for  owners  and  operators 
of  maritime  transportation  facilities  and  vessels  to  safeguard  the  information  from 
disclosure.”116  TSA  concluded  that,  because  the  lack  of  a  legal  and  regulatory 
framework  was  prohibiting  dissemination  to  those  that  needed  it,  there  was  an 
“immediate  need  to  expand  the  existing  regulatory  framework  governing  information 
related  to  aviation  security  to  cover  information  related  to  security  of  maritime 
transportation.”117 

Judicial  Review  of  SSI  Classification.  Since  2001,  the  implementation 
and  use  of  the  SSI  regulations  by  TSA  have  created  a  number  of  legal  controversies 
that  have  resulted  in  both  criminal  and  civil  litigation  in  federal  court.  Among  these 
are  the  reported  withdrawal  of  two  federal  criminal  prosecutions  involving  TSA 
baggage  screeners  for  fear  that  proceeding  would  require  the  public  disclosure  of 
SSI.lls  Based  on  an  electronic  search  of  both  published  and  unpublished  federal 
court  opinions,  it  appears  that  there  have  been  more  than  a  dozen  reported  decisions 
or  orders  involving  the  procedural  requirements  for  the  use  and/or  disclosure  of  SSI. 
Two  of  these  reported  cases  have  been  criminal  prosecutions.  In  one  case,  the 
reviewing  court  determined  that  despite  the  liberal  discovery  permitted  to  criminal 
defendants  under  the  Federal  Rules  of  Criminal  Procedure,  the  government  was 
entitled  to  withhold  information  from  defendants  pursuant  to  the  SSI  statute.119  In 
the  other,  the  government  argued  that  the  information  being  sought  by  the  defendant 
was  designated  SSI  and,  therefore,  protected  from  the  defendant’ s  discovery  request. 
The  court,  however,  decided  the  case  on  alternative  grounds  without  addressing  the 
SSI  statute  or  the  government  claims  to  protection.120 


114  (...continued) 

information  used  by  a  passenger  or  property  screening  program  or  system, 
including  an  automated  screening  system;  (iii)  Detailed  information  about  the 
locations  at  which  particular  screening  methods  or  equipment  are  used,  only  if 
determined  by  TSA  to  be  SSI;  .... 

See  49  CFR  §  1520.5(b)(9)  (2004). 

115  The  “other  information”  category  includes  “[a]ny  information  not  otherwise  described 
in  this  section  that  TSA  determines  is  SSI  under  49  U.S.C.  1 14(s)  or  that  the  Secretary  of 
DOT  determines  is  SSI  under  49  U.S.C.  401 19.  Upon  the  request  of  another  Federal  agency, 
TSA  or  the  Secretary  of  DOT  may  designate  as  SSI  information  not  otherwise  described  in 
this  section.”  See  49  CFR  §  1520.5(b)(  16)  (2004). 

116  Id. 

111  Id. 

118  For  a  more  detailed  discussion  of  the  controversies  that  have  arisen  as  a  result  of  SSI 
implementation,  see  Mitchel  A.  Sollenberger,  CRS  Report  RS21727  Sensitive  Security 
Infomation  (SSI)  and  Transportation  Security:  Background  and  Con  troversies. 

119  See  United  States  v.  Moussaoui,  2002  WL  1311736  (E.D.  Va.  2002)  (ordering  defense 
counsel  not  to  disclose  any  information  designeated  SSI  to  the  defendant  in  any  form). 

120  See  United  States  v.  Louis,  2005  WL  180885  (S.D.N.Y.  2005)  (granting  a  government 

(continued...) 


CRS-24 


With  respect  to  civil  actions  involving  SSI,  the  courts  appear  to  be  using  a 
variety  of  procedures  to  address  issues  raised  by  or  related  to  information  classified 
by  the  government  as  SSL  The  most  common  procedure  appears  to  be  the  use  of  ex 
parte,  in  camera  reviews  of  submitted  material.121  For  example,  in  Gordon  v.  F.B.I, 
a  Freedom  of  Information  Act  suit  regarding  the  administration  of  TSA’s  “no  fly” 
and  other  aviation  watch  lists,  the  government  claimed  numerous  SSI  exemptions  and 
resisted  disclosing  information  to  the  plaintiffs.122  The  District  Court  for  the 
Northern  District  of  California  ordered  that  the  government  “produce  copies  of  all 
withheld  evidence  for  the  Court’s  review”  as  well  as  ordered  that  the  government 
review  all  withheld  information  to  ensure  that  it  was  exempted  in  good  faith  and 
provide  a  detailed  affidavit  explaining  why  the  material  was  exempt  from 
disclosure.123  In  response  to  the  information  and  affidavits  received,  the  plaintiffs 
argued  that  TSA  had  not  provided  enough  detail  about  the  withheld  information  and 
that  they  had  not  sufficiently  segregated  non-SSI  material  from  that  which  received 
the  designation.124  The  court  disagreed,  noting  that  it  “has  reviewed  in  camera  all  of 
the  redacted  SSI  and  has  determined  that  all  of  it  is  properly  withheld.”125  In 
addition,  the  court  also  stated,  with  respect  to  the  segregation  issue,  “the  Court  has 
reviewed  each  of  the  SSI  redactions  in  camera  and  had  determined  that  each  is 
properly  asserted.”126  Similarly,  in  Jifry  v.  FAA,  which  involved  a  challenge  to  an 
FAA  order  revoking  the  airmen  certificates  of  several  alien  pilots  on  the  grounds  that 
they  posed  security  risks,  the  United  States  Court  of  Appeals  for  the  District  of 
Columbia  Circuit  held  that,  although  SSI  had  been  relied  upon  by  the  government  in 
deciding  to  revoke  the  certificates,  there  was  no  due  process  violation  because, 
among  other  procedural  protections,  the  pilots  were  afforded  an  “ex parte,  in  camera 
judicial  review”  of  the  entire  administrative  record.127 

In  addition  to  the  use  of  ex  parte,  in  camera  review,  several  courts  have 
examined  claimed  SSI  exemptions  using  a  more  traditional  analysis  under  the 
Freedom  of  Information  Act  (FOIA).128  The  statutes  authorizing  the  classification 
of  information  as  SSI  have  been  held  to  be  an  “exemption  3  statute”  thereby, 
authorizing  the  withholding  of  information  sought  under  the  FOIA.  Generally 


120  (...continued) 

motion  to  quash  subpoenas  and  document  productions  issued  to  DHS  employees  on 
alternative  grounds). 

121  See,  e.g.,  Jifry  v.  FAA,  370  F.3d  1 174  (D.C.  Cir.  2004);  Torbet  v.  United  Airlines,  Inc., 
298  F.3d  1087  (9lh  Cir.  2002);  Boles  v.  Neet,  402  F.Supp.2d  1237  (D.  Col.  2005);  Gordon 
v.  F.B.I.,  388  F.Supp.2d  1028  (N.D.  Ca.  2005). 

122  Gordon  v.  F.B.I. ,  388  F.Supp.2d  1028  (N.D.  Ca.  2005) 

123  Id.  at  1033-34. 

124  Id.  at  1035. 

125  Id. 

126  Id. 

127  Jifry  v.  FAA,  370  F.3d  1 174,  1183  (D.C.  Cir.  2004). 

128  See,  e.g.,  Electronic  Privacy  Information  Center  v.  D.H.S.,  384  F.Supp.2d  100  (D.D.C. 
2005);  Judicial  Watch,  Inc.  v.  D.O.T.,  2005  WL  1606915  (D.D.C.  2005). 


CRS-25 


speaking,  in  responding  to  FOIA  requests,  the  government  is  required  to  submit  a 
“  Vaughn  Index,”  which  is  a  document  that  describes  withheld  or  redacted  documents 
and  explains  why  each  withheld  record  is  exempt  from  disclosure.129 

Courts  that  have  been  faced  with  Vaughn  Indexes  claiming  protections  under 
the  SSI  statute  have  reviewed  the  sufficiency  of  the  government’s  explanations  and 
descriptions  with  mixed  results.  In  Electronic  Privacy  Information  Center  v. 
D.H.S.,  the  District  Court  for  the  District  of  Columbia  held  that  with  respect  to  one 
document  the  court  “does  not  have  enough  information  to  gauge  wither  TSA 
document  E  falls  under  exemption  3.” 130  The  court  noted  that  the  government  merely 
asserted  that  the  documents  contained  SSI  without  any  additional  details.131 
According  to  the  court,  while  the  government  is  not  required  to  describe  the  SSI  in 
such  detail  as  to  reveal  the  information,  “they  must  provide  a  more  adequate 
description  in  order  to  justify  the  application  of  the  exemption  to  the  withheld 
material.”132  As  a  result,  the  court  ordered  the  government  to  submit  a  supplemental 
Vaughn  Index  with  a  more  detailed  description.133  Conversely,  in  Judicial  Watch, 
Inc.  v.  D.O.T.  the  plaintiffs  argued  that  the  government’s  Vaughn  Index  was  too 
vague  to  establish  that  the  withheld  documents  were  covered  by  exemption  3. 134  The 
court,  noting  that  the  government  had  submitted  a  revised  Vaughn  Index  along  with 
supporting  documents,  cited  a  government  provided  affidavit  indicating  that  TSA 
determined  the  information  to  be  SSI  because  its  release  “may  reveal  a  systematic 
vulnerability  of  the  aviation  system  or  a  vulnerability  of  aviation  facilities  vulnerable 
to  attack.”135  Based  on  the  information  contained  in  the  revised  Vaughn  Index  and 
supporting  documents,  the  court  concluded  that  “DOT  has  satisfied  its  burden  of 
establishing  that  the  challenged  documents  were  properly  withheld  under  [FOIA] 
exemption  3.”136  Based  on  these  two  reported  cases,  it  appears  that  the  government’s 
ability  to  withhold  information  pursuant  to  SSI  depends  largely  on  the  adequacy  of 
the  explanations  that  it  provides  to  the  court  through  its  Vaughn  Index  and  supporting 
documentation. 

Finally,  there  have  been  several  reported  cases  that  have  utilized  alternative 
procedures  for  dealing  with  information  deemed  by  the  government  to  be  SSI.  These 
procedures  have  included  ordering  the  parties  to  provide  the  court  with  recommended 
security  procedures  before  proceeding;137  ordering  TSA  to  file  a  redacted  motion  for 


129  See  Vaughn  v.  Rosen,  484  F.2d  820,  826-28  (D.C.  Cir.  1973). 

130  Electronic  Privacy  Information  Center  v.  D.H.S.,  384  F.Supp.2d  100, 1 10  (D. D.C.  2005). 

131  Id. 

132  Id.  {citing  Mead  Data  Cent.  Inc.  v.  U.S.  Dep’ t  of  Air  Force,  566  F.2d  242,  261  (D.C.  Cir. 
1977);  Vaughn,  484  F.2d  at  827). 

133  See  id. 

134  See  Judicial  Watch,  Inc.  v.  D.O.T.,  2005  WL  1606915,  *10  (D.D.C.  2005). 

135  Id.  at  *11. 

136  Id. 

137  See  Mariani  v.  United  Airlines,  Inc.,  2002  WL  1685382,  *  2  (S.D.N.Y.  2002). 


CRS-26 


summary  judgment  with  the  court  under  seal; 138  declining  to  review  a  TS  A  final  order 
classifying  information  as  SSI  and  advising  plaintiffs  of  their  ability  to  appeal  to  the 
Court  of  Appeals;139  and  finally,  ordering  that  TSA  attorneys  be  present  at 
depositions  in  order  to  protect  SSI  from  being  disclosed  during  the  questioning  of 
witnesses.140 


138  See  Kalantar  v.  Lufthansa  German  Airlines,  276  F.Supp.2d  5,  14  (D.D.C.  2003). 

139  See  Ahmed  v.  American  Airlines,  2003  WL  1973168  *2  (W.D.  Tx.  2003). 

140  See  In  Re  September  11  Litigation,  2006  WL  846346  *10  (S.D.N.Y.  2006). 


